Explained: How hackers use YouTube videos to trick people into installing malware
Security researchers recently discovered that cybercriminals are misusing YouTube to deliver powerful malware that can steal all kinds of information from your device. According to a TechRadar report, researchers from Cyble Research Laboratories encountered over 80 videos, all with “relatively few viewers” and all owned by the same user.
How do these YouTube videos try to deceive victims?
According to the report, these YouTube videos demonstrate how to exploit particular bitcoin mining software in an effort to convince viewers to download it. The report mentions that the download link in the video description points to “a password protected archive, to convince victims of its legitimacy”. Moreover, to make it look more genuine, the downloaded archive also includes a link to VirusTotal indicating that the file is “clean”, and warns users that “some anti-virus programs may trigger a false positive alert,” according to the report.
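The two lure ingredients above, a password-protected archive and a note excusing antivirus alerts, are exactly what a defender can check for before anything is extracted. A ZIP's central directory stays readable without the password, so a triage tool can see that entries are encrypted (and therefore cannot be content-scanned by an antivirus engine) and that the archive carries an executable. The script below is an added example, not code from the Cyble or TechRadar reports; the archive it inspects is constructed inline (file names and README text are invented), and the encryption bit is set by patching the headers because the standard library cannot write encrypted entries.

```python
import io
import zipfile

# General-purpose flag bit 0 in a ZIP header means "this entry is encrypted".
ZIP_ENCRYPTED = 0x0001
# Extensions a triage rule treats as directly executable payloads (assumed list).
EXEC_SUFFIXES = (".exe", ".scr", ".dll", ".bat", ".cmd", ".ps1", ".js", ".vbs", ".msi")


def build_sample_archive() -> bytes:
    """Constructed sample shaped like the lure: a fake executable plus a README
    that excuses antivirus alerts. File names and contents are invented."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("miner_setup.exe", b"MZ" + b"\x00" * 64)
        zf.writestr("README.txt", b"Some antivirus programs may show a false positive.\n")
    raw = bytearray(buf.getvalue())
    # zipfile cannot write password-protected entries, so mimic one by setting
    # bit 0 of the general-purpose flag in every local file header (offset 6)
    # and every central-directory entry (offset 8).
    for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        pos = raw.find(sig)
        while pos != -1:
            raw[pos + off] |= ZIP_ENCRYPTED
            pos = raw.find(sig, pos + 4)
    return bytes(raw)


def triage_archive(data: bytes) -> dict:
    """Read only the central directory (no password needed) and report the
    indicators that make an archive worth a closer look."""
    findings = {"entries": 0, "encrypted_entries": [], "executables": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            findings["entries"] += 1
            if info.flag_bits & ZIP_ENCRYPTED:
                findings["encrypted_entries"].append(info.filename)
            if info.filename.lower().endswith(EXEC_SUFFIXES):
                findings["executables"].append(info.filename)
    # Encrypted contents that an AV engine cannot inspect, combined with an
    # executable inside, is the pattern the lure relies on.
    findings["suspicious"] = bool(findings["encrypted_entries"]) and bool(findings["executables"])
    return findings


if __name__ == "__main__":
    for key, value in triage_archive(build_sample_archive()).items():
        print(f"{key}: {value}")
```

The check deliberately never opens the entries, so it works on an archive whose password is only given in a video description; a gateway or endpoint policy can quarantine such files for manual review instead of relying on the "clean" VirusTotal verdict for the outer archive.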
What is PennyWise and how does it affect its victims?
The malware that spreads using YouTube videos is called PennyWise, and it is capable of stealing all kinds of user data, including system information, login credentials, cookies, encryption keys and master passwords. The report also states that this malware can steal Discord tokens and Telegram sessions while taking screenshots along the way.
Other than that, PennyWise can also scan the device for “potential cryptocurrency wallets, cold storage wallet data, and crypto-related browser add-ons.” The malware collects all of the aforementioned data, compresses it into a single file and sends it to a server under attackers’ control before self-destructing, the report suggests.
How PennyWise tries to hide from users
The report also warned users that PennyWise analyzes its environment to ensure that it does not “operate in a defended environment”. When the malware discovers that it is running in a sandbox or that an analysis tool is active on the device, it immediately halts all of its activity, according to the report.
Moreover, the researchers also discovered that the malware completely stops all its operations when it finds that the victim’s machine is located in Russia, Ukraine, Belarus or Kazakhstan. The report also mentions that this behavior offers clues as to the operators’ affiliation.